nginx_ssl证书双向认证以及负载均衡配置

#user nobody;
worker_processes 1;

#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;

#pid logs/nginx.pid;

events {
use epoll;#仅用于linux2.6以上内核,可以大大提高nginx的性能
worker_connections 1024;
}

http {
include mime.types;
default_type application/octet-stream;
#设定日志格式
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';

access_log logs/access.log main;

sendfile on;
#tcp_nopush on;

#keepalive_timeout 0;
keepalive_timeout 65;

#开启gzip压缩
gzip on;

#设定请求缓冲
client_header_buffer_size 128k;
large_client_header_buffers 4 128k;

server {
listen 80;
server_name localhost;

#charset koi8-r;

#access_log logs/host.access.log main;

location / {
root html;
index index.html index.htm;
}

#error_page 404 /404.html;

# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}

# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}

# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}

# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}

# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;

# location / {
# root html;
# index index.html index.htm;
# }
#}

# HTTPS server
#
#server {
# listen 443 ssl;
# server_name localhost;

# ssl_certificate cert.pem;
# ssl_certificate_key cert.key;

# ssl_session_cache shared:SSL:1m;
# ssl_session_timeout 5m;

# ssl_ciphers HIGH:!aNULL:!MD5;
# ssl_prefer_server_ciphers on;

# location / {
# root html;
# index index.html index.htm;
# }
#}
#http向https的强制跳转
server {
listen 80;
server_name ca.server.com;
rewrite ^(.*)$ https://$host$1 permanent;
}

#负载均衡
upstream https_proxy {
server 192.168.40.1:8090 max_fails=0;
server 192.168.40.1:8080 max_fails=0;
#server 192.168.40.128:8080 max_fails=0;
}

server {
listen 443 ssl;
server_name ca.server.com;
ssl on;
ssl_certificate /usr/local/nginx/ssl/ca.server.com.crt;#服务端证书
ssl_certificate_key /usr/local/nginx/ssl/ca.server.com.key;#服务端秘钥
ssl_client_certificate /usr/local/nginx/ssl/ca.server.com.chain.crt;#证书链

ssl_session_timeout 5m;
ssl_verify_depth 2;
ssl_verify_client on; #开户客户端证书验证

ssl_protocols SSLv2 SSLv3 TLSv1;
ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
ssl_prefer_server_ciphers on;

charset utf-8;

#定义服务器的默认网站根目录位置
root html;
# 定义错误提示页面
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}

location / {
proxy_redirect off;
proxy_set_header Host $http_host;
proxy_set_header Client-Cert $ssl_client_cert; # 将客户端证书放到http头中传递给后端的tomcat
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_set_header X-Forwarded-Proto $scheme;#对应tomcat的server.xml的设置
add_header Power-By-Tyumen "$upstream_cache_status from $hostname";
proxy_pass http://https_proxy;
proxy_buffer_size 4k;
proxy_buffers 256 4k;
proxy_max_temp_file_size 0;
proxy_connect_timeout 30;
proxy_send_timeout 15;
proxy_read_timeout 600;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
location = /favicon.ico { ## 采用完全匹配模式
log_not_found off; ## 不写 error.log
access_log off; ## 不写 access.log
}
#access_log /data/logs/https_proxy.log custom_log;
}

}